On Fri, Mar 26, 2010 at 06:56:15PM -0400, Anton Kapela wrote:

> In general, I avoid the potential for layer2 loops to any
> user-accessible layer2 ports in a manner that many edge network and
> broadband providers may find familiar -- vlan per user, tail, port,
> etc. -- aggregated in a hierarchical manner within the building,
> metro area, or city.

If you have 2 network jacks next to each other in a conference room, do they each get configured as a separate "user"? What happens if a user connects them together? What happens if a user plugs a desktop switch into one of them, then connects two ports on *that* switch together?

> avoiding the preconditions necessary for loops/etc to pose a problem
> to the agg/border/etc of a network. Don't worry about users being

Would this work in a collapsed L2/L3 core (no agg, no L3 at edge)?

> After the access ports are set up and trunking per-port layer2 frames
> up to the l3 edge (could be 3550, 650x, mwr-1941, etc), we have
> pages of things like:

When doing 1:1 VLAN:Port mapping, can you do more than 4096 VLANs/ports? Or are you doing QinQ?

> A few words on this config: in what you see above, a user simply
> cannot introduce enough traffic to the network (unicast) to matter
> (i.e. perhaps they create an unknown unicast dest flood..), and will
> be shut down if they spew enough bcast/mcast frames (thresholds set
> appropriate given your expected end-user profiles). Further, only
> the first 10 mac addresses can ride this bus (sorry, no LAN parties
> without prior approval), mitigating concerns for CAM or vlan table
> exhaustion. Lastly, no funky l3/4 acl's are required to prevent
> users handing out DHCP addresses, leaking RA's, or fronting ARP as
> your router's MAC address to their vlan-sharin' neighbors--simply
> because they don't get to send layer2 frames to anyone but the
> upstream router's control plane.

Cool, but I'm not sure this will work in my non-Cisco campus environment with 10,000 edge ports.

Thanks.
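An illustrative user-facing access-port configuration in Cisco IOS syntax showing the controls the quoted message describes (a per-port MAC limit, bcast/mcast thresholds that errdisable the port, no layer 2 forwarding between user ports, and BPDU guard for the "user plugs in a switch" case). This is an added example, not the configuration elided from Anton's message; the interface name, VLAN number and threshold values are placeholders.

```cisco
! Constructed example: one user jack on a Catalyst-style access switch.
! Interface, VLAN and thresholds are placeholders, not a real deployment.
interface GigabitEthernet1/0/1
 description user jack (constructed example)
 switchport mode access
 switchport access vlan 101
 ! Protected ports forward only to unprotected ports (the uplink), so two
 ! user jacks on this switch cannot exchange frames directly even when
 ! they share a VLAN; isolation across switches needs a VLAN per port or
 ! private VLANs instead.
 switchport protected
 ! Do not flood unknown-unicast or multicast toward the user.
 switchport block unicast
 switchport block multicast
 ! At most 10 MAC addresses per port; frames from an 11th are dropped
 ! and the violation is logged rather than shutting the port.
 switchport port-security
 switchport port-security maximum 10
 switchport port-security violation restrict
 ! Broadcast/multicast above these percentages of link rate errdisables
 ! the port; pick levels from the expected end-user profile.
 storm-control broadcast level 1.00
 storm-control multicast level 5.00
 storm-control action shutdown
 ! Edge port: errdisable it if a BPDU arrives, i.e. a switch or a loop
 ! shows up behind the jack.
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Let errdisabled user ports recover on their own after 5 minutes so a
! transient loop or flood does not need a ticket to clear.
errdisable recovery cause bpduguard
errdisable recovery cause storm-control
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

Note that `switchport protected` only isolates ports on the same switch; to get the same property across a building aggregation, the quoted design relies on a separate VLAN per port, which is what raises the 4096-VLAN question above.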